Bug 38413 - libitalc is constantly crashing (segfault) in test environments if debuglevel was 2
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: iTALC
Version: UCS@school 4.0
Hardware: Other Linux
Importance: P5 critical
Target Milestone: UCS@school 4.0 R2
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Florian Best
Depends on:
Blocks: 38415 38703 40502
Reported: 2015-04-30 22:31 CEST by Sönke Schwardt-Krummrich
Modified: 2016-01-26 14:41 CET (History)
Description Sönke Schwardt-Krummrich univentionstaff 2015-04-30 22:31:43 CEST
In several UCS@school test environments numerous segfaults of the UCS@school computerroom module were noticed:

root@slave81:~# dmesg | grep segfault | tail -1
[125430.710625] univention-mana[24783]: segfault at 0 ip 00007f86125ef16b sp 00007f85ef8107d8 error 6 in libc-2.13.so[7f8612566000+182000]
root@slave81:~# dmesg | grep univention-mana | grep -c segfault
39
root@slave81:~#

When raising the debug level of the UMC modules to 4, the segfault vanished but reappeared when lowering the debug level back to 2.
After enabling core dumps in the UMC server and UMC modules, I was able to catch a core dump of the UCS@school computerroom module that gave interesting information:

See bug 37280 on how to enable core dumps for UMC components. I added "ulimit -c unlimited" to /etc/init.d/univention-management-console-server and checked the limits of the UMC module after restarting the UMC server and opening the first UMC module (limit should be "unlimited"):

root@slave81:~# pgrep -f univention-management-console-module
24205
root@slave81:~# cat /proc/24205/limits | grep core
Max core file size        unlimited            unlimited            bytes     
root@slave81:~# 

Next I tried to trigger the segfault. The core file of the module process could be found as "/core".

# ucr set repository/online/unmaintained=yes
# univention-install libc6-dbg italc-dbg gdb
# gdb /usr/bin/python2.7 core
[…]
(gdb) bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:267
#1  0x00007f85f0a88fb5 in CopyRectangle (buffer=<optimized out>, x=<optimized out>, y=<optimized out>, w=800, h=1, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:172
#2  0x00007f85f0a5f1ee in DecompressJpegRect32 (client=client@entry=0x2ff5e00, x=x@entry=0, y=y@entry=0, w=w@entry=800, h=h@entry=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:580
#3  0x00007f85f0a5f3ca in HandleTight32 (client=client@entry=0x2ff5e00, rx=0, ry=0, rw=800, rh=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:146
#4  0x00007f85f0a90d65 in HandleRFBServerMessage (client=0x2ff5e00) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:2101
#5  0x00007f85f0a647a2 in ItalcVncConnection::doConnection (this=this@entry=0x2ba5fa0) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:644
#6  0x00007f85f0a648c8 in ItalcVncConnection::run (this=0x2ba5fa0) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:524
#7  0x00007f861017cd0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#8  0x00007f8613199b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#9  0x00007f861264270d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()
(gdb) up
#1  0x00007f85f0a88fb5 in CopyRectangle (buffer=<optimized out>, x=<optimized out>, y=<optimized out>, w=800, h=1, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, 
    client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
    at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:172
172	  case 32: COPY_RECT(32); break;
(gdb) print client->frameBuffer
Unhandled dwarf expression opcode 0xfa
(gdb) up
#2  0x00007f85f0a5f1ee in DecompressJpegRect32 (client=client@entry=0x2ff5e00, x=x@entry=0, y=y@entry=0, w=w@entry=800, h=h@entry=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:580
580	    CopyRectangle(client, (uint8_t *)&client->buffer[RFB_BUFFER_SIZE / 2], x, y + dy, w, 1);
(gdb) print client->frameBuffer
$1 = (uint8_t *) 0x0
(gdb) 

It looks like it is not assured that the frameBuffer is already allocated when handling the first messages coming from the iTALC Windows client.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-05-01 01:17:28 CEST
A comparison of the latest iTALC code (https://github.com/iTALC/italc) with our iTALC code base showed that a null pointer check is missing in the UCS@school code.
A first test with a patched libitalc.so revealed another missing null pointer check:

(gdb) bt
#0  FillRectangle (client=0x32dca00, x=229, y=<optimized out>, w=<optimized out>, h=<optimized out>, colour=14467239) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:151
#1  0x00007f058a33a305 in HandleTight32 (client=client@entry=0x32dca00, rx=229, ry=567, rw=309, rh=33) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:134
#2  0x00007f058a36bc35 in HandleRFBServerMessage (client=0x32dca00) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:2105
#3  0x00007f058a33f6d2 in ItalcVncConnection::doConnection (this=this@entry=0x2b523c0) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:644
#4  0x00007f058a33f7f8 in ItalcVncConnection::run (this=0x2b523c0) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:524
#5  0x00007f05a9a57d0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#6  0x00007f05aca74b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#7  0x00007f05abf1d70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#8  0x0000000000000000 in ?? ()
(gdb) up
#1  0x00007f058a33a305 in HandleTight32 (client=client@entry=0x32dca00, rx=229, ry=567, rw=309, rh=33) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:134
134	    FillRectangle(client, rx, ry, rw, rh, fill_colour);
(gdb) print client->frameBuffer
$1 = (uint8_t *) 0x0

After patching the libitalc, the segfaults were no longer reproducible.

italc-master_2.0.23-1.74.201505010017_XXX.deb
italc-client_2.0.23-1.74.201505010017_XXX.deb
libitalc_2.0.23-1.74.201505010017_XXX.deb
italc-management-console_2.0.23-1.74.201505010017_XXX.deb
libitalc-dev_2.0.23-1.74.201505010017_XXX.deb
italc-dbg_2.0.23-1.74.201505010017_XXX.deb

xml changelog entry has been added
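To illustrate the missing check diagnosed in the description and in comment 1, here is an added example that is not code from the iTALC or libvncclient sources nor from the reporter: a minimal model of the rfbClient framebuffer in which FillRectangle and CopyRectangle refuse to touch a frameBuffer that is still NULL (and also reject rectangles that do not fit), so an update that arrives before the ServerInit message has allocated the buffer is dropped instead of crashing in memcpy. The struct layout, the rect_ok helper and replay() are constructed for this example; the rectangle geometry is taken from the backtraces above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for libvncclient's rfbClient (constructed, not the real struct) */
typedef struct {
    uint8_t *frameBuffer; /* NULL until the ServerInit message has been handled */
    int width, height;    /* framebuffer geometry in pixels */
} rfbClient;

/* Shared guard, the check the traces show was missing: the framebuffer must exist
 * and the server-supplied rectangle must fit inside it. 1 = apply, 0 = drop. */
static int rect_ok(const rfbClient *c, int x, int y, int w, int h)
{
    if (c->frameBuffer == NULL) return 0; /* update arrived before ServerInit allocated it */
    return x >= 0 && y >= 0 && w >= 0 && h >= 0 && x + w <= c->width && y + h <= c->height;
}

/* Hardened FillRectangle for 32-bit pixels (the HandleTight32 path in the trace) */
static int FillRectangle(rfbClient *c, int x, int y, int w, int h, uint32_t colour)
{
    if (!rect_ok(c, x, y, w, h)) return 0;
    for (int j = y; j < y + h; j++)
        for (int i = x; i < x + w; i++)
            ((uint32_t *)c->frameBuffer)[j * c->width + i] = colour;
    return 1;
}

/* Hardened CopyRectangle: copies h rows of w 32-bit pixels from a decoded buffer */
static int CopyRectangle(rfbClient *c, const uint8_t *buffer, int x, int y, int w, int h)
{
    if (!rect_ok(c, x, y, w, h)) return 0;
    for (int j = 0; j < h; j++)
        memcpy(c->frameBuffer + ((size_t)(y + j) * c->width + x) * 4, buffer + (size_t)j * w * 4, (size_t)w * 4);
    return 1;
}

/* Replays the two updates from the backtraces (fill 309x33 at 229,567; copy of one
 * 800-pixel row at 0,0) against an 800x600 client. Returns how many updates were
 * applied: 0 while frameBuffer is still NULL, 2 once it has been allocated. */
static int replay(int allocate_first)
{
    rfbClient c = {0};
    static uint8_t row[800 * 4]; /* constructed decoded-row data, content irrelevant */
    if (allocate_first) { c.width = 800; c.height = 600; c.frameBuffer = calloc(800u * 600u, 4); }
    int applied = FillRectangle(&c, 229, 567, 309, 33, 14467239u) + CopyRectangle(&c, row, 0, 0, 800, 1);
    free(c.frameBuffer);
    return applied;
}
```

Without the guard, replay(0) would dereference the NULL frameBuffer exactly as frames #0 and #1 of the traces show; with it the early updates are discarded and the ones sent after allocation are applied.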
Comment 2 Florian Best univentionstaff 2015-05-04 14:33:29 CEST
Code-Review: OK, (I hope CopyRectangleFromRectangle() will not cause this again in the future).
Packages [i386/amd64]: OK
Changelog: OK
I could not reproduce the segfault.
Comment 3 Florian Best univentionstaff 2015-05-11 19:24:50 CEST
UCS@school 4.0 R2 v1 has been released:
http://docs.univention.de/release-notes-ucsschool-4.0R2v1-de.html

If this error occurs again, please use "Clone This Bug".